Date: Mon, 01 Mar 2004 02:25:30 +0100
From: Alex de Kruijff <freebsd@akruijff.dds.nl>
To: "Shaun T. Erickson" <ste@ste-land.com>
Cc: questions@freebsd.org
Subject: Re: ipfw ruleset traversal question
Message-ID: <20040301012530.GH42000@alex.lan>
In-Reply-To: <40426EAD.50004@ste-land.com>
References: <40426EAD.50004@ste-land.com>
On Sun, Feb 29, 2004 at 05:58:53PM -0500, Shaun T. Erickson wrote:
> I'm trying to port my Linux netfilter/iptables firewall to 5.2.1-RELEASE.
>
> Iptables has the concept of "chains". There are three defined by the
> system: INPUT, FORWARD & OUTPUT. Packets coming into the system that are
> destined for a local process traverse the INPUT chain only, packets
> generated by the system, and leaving it, traverse the OUTPUT chain only,
> and packets that are simply passing through the system traverse the
> FORWARD chain only. One nice benefit of this is that inbound packets
> don't have to traverse rules for outbound packets and vice-versa. This
> allows efficient grouping of rules and reduces the performance hit of
> packets having to be checked by all rules.
>
> How can I set up my ipfw ruleset so that I can achieve that same benefit?

IPFW has one list of rules (with an option to select in/out) that results in the behaviour you describe. I have an example on my home page where I select incoming and outgoing packets. Forward is an action just like skipto, reject, allow and deny are. See man ipfw for more info.

--
Alex

Articles based on solutions that I use:
http://www.kruijff.org/alex/index.php?dir=docs/FreeBSD/
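An added example (not from the thread or Alex's home page) of the layout the reply describes: three selector rules use `in`/`out` and `me` to `skipto` a numbered section of ipfw's single list, playing the role of iptables' INPUT, OUTPUT and FORWARD chains. The interface `em0`, the LAN `192.168.1.0/24` and the rule numbers are assumptions; the rules are printed unless `IPFW=/sbin/ipfw` is set.

```shell
#!/bin/sh
# Emulate iptables' INPUT / OUTPUT / FORWARD chains in ipfw's one rule list.
# Unlike an iptables chain, an ipfw section has no implicit end: evaluation
# falls through into the next section, so every section ends with its own
# deny. Forwarded packets are also seen twice (in on one interface, out on
# the other), so FORWARD rules must match both legs.
# Assumed values (not from the original thread): em0, 192.168.1.0/24, numbers.
fwcmd="${IPFW:-echo}"
ext_if="em0"
lan="192.168.1.0/24"
INPUT=1000    # packets addressed to this host ("me")
OUTPUT=2000   # packets generated by this host
FORWARD=3000  # packets routed through this host

build_ruleset() {
    # Chain selector: the first matching skipto decides which section runs.
    ${fwcmd} add 100 skipto ${INPUT} ip from any to me in
    ${fwcmd} add 110 skipto ${OUTPUT} ip from me to any out
    ${fwcmd} add 120 skipto ${FORWARD} ip from any to any

    # INPUT section: loopback, replies to our own connections, ssh; then deny.
    ${fwcmd} add ${INPUT} allow ip from any to any via lo0
    ${fwcmd} add $((INPUT + 10)) allow tcp from any to me established
    ${fwcmd} add $((INPUT + 20)) allow tcp from any to me 22 in setup
    ${fwcmd} add $((INPUT + 900)) deny log ip from any to any

    # OUTPUT section: the host may originate anything; then deny.
    ${fwcmd} add ${OUTPUT} allow ip from me to any out
    ${fwcmd} add $((OUTPUT + 900)) deny log ip from any to any

    # FORWARD section: LAN web traffic and its replies, matched on both the
    # inbound and the outbound leg (no in/out keyword); then deny.
    ${fwcmd} add ${FORWARD} allow tcp from ${lan} to any 80,443
    ${fwcmd} add $((FORWARD + 10)) allow tcp from any 80,443 to ${lan} established
    ${fwcmd} add $((FORWARD + 900)) deny log ip from any to any
}

# Sanity check: one terminal deny per section, so no section can fall
# through into the next one.
count_section_denies() {
    build_ruleset | grep -c 'deny log ip from any to any'
}

build_ruleset
```

Run it with `IPFW=/sbin/ipfw sh ruleset.sh` only after `ipfw -f flush`, since numbered `add` calls append to whatever rules are already loaded.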